
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
      <meta charset="UTF-8"/>
      <title>SpotBugs Report</title>
      <style type="text/css">
		.tablerow0 {
			background: #EEEEEE;
		}

		.tablerow1 {
			background: white;
		}

		.detailrow0 {
			background: #EEEEEE;
		}

		.detailrow1 {
			background: white;
		}

		.tableheader {
			background: #b9b9fe;
			font-size: larger;
		}
		</style>
   </head>
   <body>
      <h1>SpotBugs Report</h1>
      <p>Produced using <a href="https://spotbugs.github.io">SpotBugs</a>4.4.2.</p>
      <p>Project: 
			jpacman[jpacman.defaultTest]</p>
      <h2>Metrics</h2>
      <p>381 lines of code analyzed,
	in 9 classes, 
	in 7 packages.</p>
      <table width="500" cellpadding="5" cellspacing="2">
         <tr class="tableheader">
            <th align="left">Metric</th>
            <th align="right">Total</th>
            <th align="right">Density*</th>
         </tr>
         <tr class="tablerow0">
            <td>High Priority Warnings</td>
            <td align="right">1</td>
            <td align="right">2.62</td>
         </tr>
         <tr class="tablerow1">
            <td>Medium Priority Warnings</td>
            <td align="right">2</td>
            <td align="right">5.25</td>
         </tr>
         <tr class="$totalClass">
            <td>
               <b>Total Warnings</b>
            </td>
            <td align="right">
               <b>3</b>
            </td>
            <td align="right">
               <b>7.87</b>
            </td>
         </tr>
      </table>
      <p>
         <i>(* Defects per Thousand lines of non-commenting source statements)</i>
      </p>
      <p>
         <br/>
         <br/>
      </p>
      <h2>Summary</h2>
      <table width="500" cellpadding="5" cellspacing="2">
         <tr class="tableheader">
            <th align="left">Warning Type</th>
            <th align="right">Number</th>
         </tr>
         <tr class="tablerow0">
            <td>
               <a href="#Warnings_BAD_PRACTICE">Bad practice Warnings</a>
            </td>
            <td align="right">1</td>
         </tr>
         <tr class="tablerow1">
            <td>
               <a href="#Warnings_PERFORMANCE">Performance Warnings</a>
            </td>
            <td align="right">1</td>
         </tr>
         <tr class="tablerow0">
            <td>
               <a href="#Warnings_SECURITY">Security Warnings</a>
            </td>
            <td align="right">1</td>
         </tr>
         <tr class="tablerow1">
            <td>
               <b>Total</b>
            </td>
            <td align="right">
               <b>3</b>
            </td>
         </tr>
      </table>
      <p>
         <br/>
         <br/>
      </p>
      <h1>Warnings</h1>
      <p>Click on each warning link to see a full description of the issue, and
	    details of how to resolve it.</p>
      <h2>
         <a name="Warnings_BAD_PRACTICE">Bad practice Warnings</a>
      </h2>
      <table class="warningtable"
             width="100%"
             cellspacing="2"
             cellpadding="5">
         <tr class="tableheader">
            <th align="left">Warning</th>
            <th align="left">Priority</th>
            <th align="left">Details</th>
         </tr>
         <tr class="tablerow1">
            <td width="20%" valign="top">
               <a href="#DMI_RANDOM_USED_ONLY_ONCE">Random object created and used only once</a>
            </td>
            <td width="10%" valign="top">High</td>
            <td width="70%">
               <p>Random object created and used only once in nl.tudelft.jpacman.fuzzer.JPacmanFuzzer.getRandomDirection()<br/>
                  <br/>
                  <br/>In file JPacmanFuzzer.java JPacmanFuzzer.java,
					
						line 109 109<br/>In class nl.tudelft.jpacman.fuzzer.JPacmanFuzzer<br/>In method nl.tudelft.jpacman.fuzzer.JPacmanFuzzer.getRandomDirection()<br/>Called method java.util.Random.nextInt(int)<br/>At JPacmanFuzzer.java:[line 109]<br/>At JPacmanFuzzer.java:[line 109]</p>
            </td>
         </tr>
      </table>
      <p>
         <br/>
         <br/>
      </p>
      <h2>
         <a name="Warnings_PERFORMANCE">Performance Warnings</a>
      </h2>
      <table class="warningtable"
             width="100%"
             cellspacing="2"
             cellpadding="5">
         <tr class="tableheader">
            <th align="left">Warning</th>
            <th align="left">Priority</th>
            <th align="left">Details</th>
         </tr>
         <tr class="tablerow1">
            <td width="20%" valign="top">
               <a href="#IOI_USE_OF_FILE_STREAM_CONSTRUCTORS">Method uses a FileInputStream or FileOutputStream constructor</a>
            </td>
            <td width="10%" valign="top">Medium</td>
            <td width="70%">
               <p>Method nl.tudelft.jpacman.fuzzer.JPacmanFuzzer.fuzzerTest(RepetitionInfo) uses a FileInputStream or FileOutputStream constructor<br/>
                  <br/>
                  <br/>In file JPacmanFuzzer.java,
					
						line 85<br/>In class nl.tudelft.jpacman.fuzzer.JPacmanFuzzer<br/>In method nl.tudelft.jpacman.fuzzer.JPacmanFuzzer.fuzzerTest(RepetitionInfo)<br/>At JPacmanFuzzer.java:[line 85]</p>
            </td>
         </tr>
      </table>
      <p>
         <br/>
         <br/>
      </p>
      <h2>
         <a name="Warnings_SECURITY">Security Warnings</a>
      </h2>
      <table class="warningtable"
             width="100%"
             cellspacing="2"
             cellpadding="5">
         <tr class="tableheader">
            <th align="left">Warning</th>
            <th align="left">Priority</th>
            <th align="left">Details</th>
         </tr>
         <tr class="tablerow1">
            <td width="20%" valign="top">
               <a href="#PREDICTABLE_RANDOM">Predictable pseudorandom number generator</a>
            </td>
            <td width="10%" valign="top">Medium</td>
            <td width="70%">
               <p>This random generator (java.util.Random) is predictable<br/>
                  <br/>
                  <br/>In file JPacmanFuzzer.java,
					
						line 109<br/>In class nl.tudelft.jpacman.fuzzer.JPacmanFuzzer<br/>In method nl.tudelft.jpacman.fuzzer.JPacmanFuzzer.getRandomDirection()<br/>At JPacmanFuzzer.java:[line 109]<br/>Value java.util.Random</p>
            </td>
         </tr>
      </table>
      <p>
         <br/>
         <br/>
      </p>
      <p>
         <br/>
         <br/>
      </p>
      <h1>
         <a name="Details">Warning Types</a>
      </h1>
      <h2>
         <a name="DMI_RANDOM_USED_ONLY_ONCE">Random object created and used only once</a>
      </h2>

<p> This code creates a java.util.Random object, uses it to generate one random number, and then discards
the Random object. This produces mediocre quality random numbers and is inefficient.
If possible, rewrite the code so that the Random object is created once and saved, and each time a new random number
is required invoke a method on the existing Random object to obtain it.
</p>

<p>If it is important that the generated Random numbers not be guessable, you <em>must</em> not create a new Random for each random
number; the values are too easily guessable. You should strongly consider using a java.security.SecureRandom instead
(and avoid allocating a new SecureRandom for each random number needed).
</p>

    <p>
         <br/>
         <br/>
      </p>
      <h2>
         <a name="IOI_USE_OF_FILE_STREAM_CONSTRUCTORS">Method uses a FileInputStream or FileOutputStream constructor</a>
      </h2>
    		
    		<p>This method creates and uses a java.io.FileInputStream or java.io.FileOutputStream object. Unfortunately both
    		of these classes implement a finalize method, which means that objects created will likely hang around until a
    		full garbage collection occurs, which will leave excessive garbage on the heap for longer, and potentially much
    		longer than expected. Java 7 introduced two ways to create streams for reading and writing files that do not have this concern.
    		You should consider switching from these above classes to
    		<code>
    		InputStream is = java.nio.file.Files.newInputStream(myfile.toPath());
    		OutputStream os = java.nio.file.Files.newOutputStream(myfile.toPath());
    		</code>
    		</p>
    		
    	<p>
         <br/>
         <br/>
      </p>
      <h2>
         <a name="PREDICTABLE_RANDOM">Predictable pseudorandom number generator</a>
      </h2>
            
<p>The use of a predictable random value can lead to vulnerabilities when used in certain security critical contexts. For example, when the value is used as:</p>
<ul>
<li>a CSRF token: a predictable token can lead to a CSRF attack as an attacker will know the value of the token</li>
<li>a password reset token (sent by email): a predictable password token can lead to an account takeover, since an attacker will guess the URL of the "change password" form</li>
<li>any other secret value</li>
</ul>
<p>
A quick fix could be to replace the use of <code>java.util.Random</code> with something stronger, such as <code>java.security.SecureRandom</code>.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>String generateSecretToken() {
    Random r = new Random();
    return Long.toHexString(r.nextLong());
}</pre>
</p>
<p>
<b>Solution:</b>
<pre>import org.apache.commons.codec.binary.Hex;

String generateSecretToken() {
    SecureRandom secRandom = new SecureRandom();

    byte[] result = new byte[32];
    secRandom.nextBytes(result);
    return Hex.encodeHexString(result);
}</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html">Cracking Random Number Generators - Part 1 (https://jazzy.id.au)</a><br/>
<a href="https://www.securecoding.cert.org/confluence/display/java/MSC02-J.+Generate+strong+random+numbers">CERT: MSC02-J. Generate strong random numbers</a><br/>
<a href="https://cwe.mitre.org/data/definitions/330.html">CWE-330: Use of Insufficiently Random Values</a><br/>
<a href="https://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html">Predicting Struts CSRF Token (Example of real-life vulnerability and exploitation)</a>
</p>

        <p>
         <br/>
         <br/>
      </p>
   </body>
</html>
